2.6.35-stable review patch. If anyone has any objections, please let us know.

------------------

From: Dan Rosenberg <drosenberg@vsecurity.com>

commit 5591bf07225523600450edd9e6ad258bb877b779 upstream.

The snd_ctl_new() function in sound/core/control.c allocates space for asnd_kcontrol struct by performing arithmetic operations on auser-provided size without checking for integer overflow. If a userprovides a large enough size, an overflow will occur, the allocatedchunk will be too small, and a second user-influenced value will bewritten repeatedly past the bounds of this chunk. This code isreachable by unprivileged users who have permission to opena /dev/snd/controlC* device (on many distros, this is group "audio") viathe SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.